The API returns a list that includes certificates from all TLS contexts
including:

Default Elasticsearch TLS settings

Settings for transport and HTTP interfaces

TLS settings that are used within authentication realms

TLS settings for remote monitoring exporters

The list includes certificates that are used for configuring trust, such as
those configured in the xpack.ssl.truststore and
xpack.ssl.certificate_authorities settings. It also includes certificates that
that are used for configuring server identity, such as xpack.ssl.keystore and
xpack.ssl.certificate settings.

The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in
use within Elasticsearch.

When a PKCS#11 token is configured as the truststore of the JRE, the API
will return all the certificates that are included in the PKCS#11 token
irrespectively to whether these are used in the Elasticsearch TLS configuration or not.

If Elasticsearch is configured to use a keystore or truststore, the API output
includes all certificates in that store, even though some of the certificates
might not be in active use within the cluster.